TEAM: Huntress Managed ITDR, ISPM
PRODUCT: Huntress ISPM
ENVIRONMENT: Microsoft 365
SUMMARY: Common and frequently asked questions for Early Access into ISPM (Identity Security Posture Management)
Onboarding
Q. What happens if your organization does not have Enterprise App v5+?
A. When you go through the enablement process from the Nav bar, you will be guided to add existing ITDR organizations on this screen:
The ISPM Status chips indicate whether an organization is able to activate ISPM.
- Not Applicable - The organization does not have Enterprise App v5 (or it is a GCC CPV client).
- Eligible - The organization is ready for ISPM, click View to enable them.
- Enabled - The organization has ISPM enabled.
- Disabled - The organization has ISPM disabled.
For eligible organizations, once you click “View” you will be able to enable ISPM. If the organization is ineligible, you will instead be presented with a further confirmation that you cannot enable ISPM for that organization. In EA, the reasons given may be light, so it is best to direct questions to your Account Manager.
Q. Why am I seeing the Explore Your Huntress Trial section in the dashboard after enrolling for Early Access?
A. We are using a Trial-Based Feature flag for ISPM while in Early Access. Unlike other trials, there is no trial expiration date, so this will exist until we move over to full General Availability (GA).
Q. Will Huntress Managed ISPM be available without an ITDR subscription?
A. Yes. The product team confirmed that Managed ISPM is expected to be available without an ITDR subscription at GA on July 1.
Compliance/Security Controls
Q. When deploying a Conditional Access Policy (CAP) or a security control - How long should it take?
A. Changes are deployed immediately into the Microsoft tenant. There is a retry mechanism (5 attempts, 5 seconds in between) to ensure that the change is accepted by Graph. In testing, we can see the changes live within 1-2 minutes in the MS portal. This may slow as we get busier and have to queue more settings to more tenants, but the expectation is within a couple of minutes, not on an hourly/daily schedule.
If a change fails, there is no immediate on-screen feedback in Early Access. We have the ISPM Actions Log which the user can browse to. Right now, if something fails we will log it in ISPM Actions and create an Escalation.
Q. How often does Huntress scan to see if a fix has been applied to a recommended setting?
A.
- If a user enforces something in the Huntress portal, we'll push the change immediately and re-run the scan to confirm that it was successful.
- If something that was compliant drifts into non-compliance, we'll see it in the Microsoft audit log, typically within 15 minutes, and we will take action immediately.
Q. What is this Security Control, what does it do?
A. Each Security Control has a fully detailed description of what it does, why we have it, its impact, etc. If you click Manage next to a security control, you will open a screen like this:
Q. What is this Conditional Access Policy (CAP), what does it do?
A. Huntress Managed CA policies have a brief description which will appear in the portal on or immediately after EA. In the meantime here they are:
| Policy Name | Description |
| --- | --- |
| [HUNTRESS] Block legacy authentication methods | Turns off legacy authentication protocols like POP, IMAP, and basic-auth Exchange endpoints to eliminate weak, password-only sign-ins. |
| [HUNTRESS] Require MFA for all users | Requires every user in the organization to complete multifactor authentication when signing in to Microsoft 365 services. |
| [HUNTRESS] Require Administrative accounts to sign-in more frequently | Ensures that browser-based administrative sessions are regularly deauthenticated and not kept alive for an indefinite period of time |
| [HUNTRESS] Block ability to sign-in using a device code | Blocks the simple PIN type logins which can be used by devices such as smart TVs, IoT devices and printers. |
| [HUNTRESS] Restrict managed access to the Azure portal | Ensures that access to administrative portals is blocked for standard user accounts |
| [HUNTRESS] Require MFA to join devices | Ensures that devices can only be registered with Microsoft Entra by a user authenticated with MFA |
| [HUNTRESS] Block unused device types | Ensures that only devices with Windows, macOS, Android and iOS Operating Systems are allowed to connect to Microsoft 365. |
| [HUNTRESS] Block downloads for Guest users | Ensures that Guest accounts are unable to download files from the Microsoft 365 portals. |
| [HUNTRESS] Turn off persistent browser sessions | Ensures that browser sessions need to be regularly re-authenticated on unmanaged/non-compliant devices |
| [HUNTRESS] Restrict Guests from using Microsoft Office clients | Ensures that Guest accounts cannot connect to Microsoft 365 using the Office clients and must exclusively use web-access. |
| [HUNTRESS] Enforce an idle session timeout for browser-based applications | Ensures that idle browser sessions need to be re-authenticated on unmanaged/non-compliant devices |
Q. Why isn't my existing Conditional Access Policy (CAP) showing as compliant?
A. Currently, our system specifically looks for Huntress-managed policies to verify compliance. Even if your existing policy meets the technical requirements, it will not be flagged as compliant at this time.
Q. Will I be able to use my own policies for compliance in the future?
A. Yes. We are developing an "Adopt" feature that will allow you to link your existing policies to Huntress. Once adopted, our system will recognize them as meeting compliance standards.
Examples of Impacted Policies
The following are examples of policies that may show as non-compliant if you already have a matching Conditional Access policy in place:
- Block Legacy Authentication
- Require MFA for all users
- MFA for Entra Join
Note: These changes may impact other active Conditional Access Policies within your environment. We recommend reviewing your current configurations before making adjustments.
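As an aid for the review recommended above, this added example (not Huntress code) sorts an exported list of Conditional Access policies into Huntress-managed and pre-existing ones for the three impacted policy types. The matching heuristics, the `[HUNTRESS]` name-prefix test and the "Contoso" sample policies are assumptions; field names follow the Microsoft Graph conditionalAccessPolicy resource.

```python
# Added example: heuristics and sample data are assumptions, not Huntress's matching logic.
HUNTRESS_PREFIX = "[HUNTRESS]"  # prefix used by the policy names in the table above
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # Graph clientAppTypes for legacy auth

def intent(policy):
    """Map a Graph conditionalAccessPolicy dict to one of the three impacted intents."""
    cond = policy.get("conditions") or {}
    users = (cond.get("users") or {}).get("includeUsers") or []
    apps = cond.get("applications") or {}
    controls = set((policy.get("grantControls") or {}).get("builtInControls") or [])
    clients = set(cond.get("clientAppTypes") or [])
    if "block" in controls and clients and clients <= LEGACY_CLIENTS:
        return "block-legacy-auth"
    if "mfa" in controls and "urn:user:registerdevice" in (apps.get("includeUserActions") or []):
        return "mfa-device-join"
    if "mfa" in controls and "All" in users and "All" in (apps.get("includeApplications") or []):
        return "mfa-all-users"
    return None

def review(policies):
    """Group enforced policies by intent, split into Huntress-managed and pre-existing."""
    report = {}
    for p in policies:
        kind = intent(p)
        if kind is None or p.get("state") != "enabled":  # skips disabled and report-only
            continue
        bucket = "managed" if p["displayName"].startswith(HUNTRESS_PREFIX) else "existing"
        report.setdefault(kind, {"managed": [], "existing": []})[bucket].append(p["displayName"])
    return report

def unadopted(report):
    """Intents met only by a pre-existing policy (not counted as compliant today)."""
    return sorted(k for k, v in report.items() if v["existing"] and not v["managed"])

def overlapping(report):
    """Intents enforced by both a pre-existing and a Huntress-managed policy."""
    return sorted(k for k, v in report.items() if v["existing"] and v["managed"])

def _p(name, state, controls, clients=("all",), users=("All",), apps=("All",), actions=()):
    # Builds a constructed policy in the shape Graph returns; not real tenant data.
    return {"displayName": name, "state": state,
            "conditions": {"clientAppTypes": list(clients), "users": {"includeUsers": list(users)},
                           "applications": {"includeApplications": list(apps),
                                            "includeUserActions": list(actions)}},
            "grantControls": {"operator": "OR", "builtInControls": list(controls)}}

SAMPLE = [  # constructed export; the "Contoso" names are hypothetical
    _p("[HUNTRESS] Block legacy authentication methods", "enabled", ["block"], LEGACY_CLIENTS),
    _p("Contoso - Block legacy auth", "enabled", ["block"], LEGACY_CLIENTS),
    _p("Contoso - MFA everyone", "enabled", ["mfa"]),
    _p("Contoso - MFA to register devices", "enabledForReportingButNotEnforced", ["mfa"],
       apps=(), actions=["urn:user:registerdevice"]),
    _p("Contoso - Block outside trusted locations", "enabled", ["block"]),
]

if __name__ == "__main__":
    r = review(SAMPLE)
    print("not adopted:", unadopted(r), "| overlapping:", overlapping(r))
```

Intents listed as not adopted are the ones that will show as non-compliant despite an existing policy; overlapping intents are where exclusions on the two policies should be compared before changing either.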
Managing Controls / Conditional Access Policies (CAP)
Q. When enforcing security controls, do these happen at the User/Identity/Org or Account level?
A. Security Controls are deployed tenant wide for a specific organisation. During Early Access we have a one-org-at-a-time UI dashboard. This will evolve as we move towards GA into being a streamlined experience for managing multiple organisations with ease.
Q. Can I create my own custom security controls/baselines?
A. No. ISPM is a managed platform which is underpinned by our Identity Security Framework. It’s a continually evolving set of standards/settings based on what we see in hacker tradecraft. ISPM isn’t a toolkit just to deploy policies and save time on deployments. In our GA release, the team at Huntress will continually track what “good” looks like in security and apply those settings to the tenant(s). Rather than putting the work back on you to define your “baselines”, you onboard with ISPM and we’ll take care of the settings.
Q. If I can’t customize settings/have my own baseline, am I losing control?
A. Not at all. ISPM will provide all the security settings your tenant needs and more, constantly maintained and deployed, taking the headache out of bringing consistency to all of your managed tenants. Of course you can still opt-out of specific security controls because we understand that organizations have individual needs.
Q. What are Enforcement Groups?
A. This is in preparation for our GA release. Enforcement groups will be a streamlined way for us to deploy the set of Security Policies or CA policies in scheduled tranches. During EA, there is no functionality for this.
Q. What standards does your Security Framework align with?
A. Initially the security controls and policies will be built out to align with CIS Benchmark for Microsoft 365. However there are significant enhancements over this based on our experience of hacker tradecraft and securing >10M identities.
Q. How does Continuous Enforcement work?
A. When you enable a security control for Continuous Enforcement, ISPM will attempt to keep that control compliant. If we detect any change/drift, ISPM will put the setting back to Compliant. If the control repeatedly keeps being made non-compliant, after 3 auto-remediations we will create an Escalation for you to investigate further.
Q. I deployed a Security Control and caused an issue, how do I undo it?
A. All of our managed Security Controls have a rollback capability where we revert the setting. Prior to deploying a change, ISPM captures the previous state and stores it for safety in case you do need to roll back. The option to revert the setting can be found on the Action Menu of the Security Control.
Note: You cannot revert a setting whilst Continuous Enforcement is enabled so you’ll be guided to switch that off prior to rolling back the Security Control.
Q. I received the following error when attempting to Edit/disable a policy. How do I disable it?
"This Policy is managed by continuous enforcement and cannot be modified manually."
A. The pop-up you encountered is because Continuous Enforcement is active. This feature prevents direct modifications to the policy from the Conditional Access page, ensuring configuration integrity.
To update the policy or add an exclusion, please follow these steps:
Step 1: Disable Continuous Enforcement
- Navigate to ISPM → Security Controls.
- Locate the security control associated with HUNTRESS Block Legacy Authentication.
- Toggle Continuous Enforcement to Off.
Step 2: Update the Conditional Access Policy
Once enforcement is disabled, return to the Conditional Access Policy page where you can:
- Disable the policy entirely, OR
- Add the exclusion, like John@Domain.com.
Note: It is recommended to re-enable Continuous Enforcement once your changes are complete to maintain your security posture.
Q. If Huntress is removed, do changes implemented through ISPM automatically revert to their previous state, or do they remain as the new baseline?
A. Huntress will not roll back any changes upon de-provisioning. Any security configurations implemented through the platform will remain in their current state and become the new baseline for the tenant. None of our CAPs are Huntress-specific, and these will only increase the tenant's security posture.
Q. Can I adopt and enforce pre-existing Conditional Access Policies today?
A. Not today. Current enforcement requires the Huntress-managed versions of the supported policies. An adopt capability is planned for the future, but no ETA was provided in the thread.
Compliance Rating/Score
Q. What rating/settings are possible with my/my clients' M365 environment and current licensing?
A. In Early Access, ISPM is not able to guide on which features can/can’t be turned on. We have limited license awareness e.g. if you don’t have the licence then we will disable the Conditional Access functionality. But there may be some security controls which the user can deploy and will fail if they don’t have the licence. We will refine for GA.
Q. Which Microsoft 365 license is recommended for a higher score?
A. Microsoft 365 Business Premium is recommended for small businesses (< 300 users). Microsoft 365 E3 or E5 for larger organisations. During Early Access, provided the tenant has Entra ID P1 then the Entra settings and Conditional Access policies will be supported.
Q. What is a good average score, what should we aim for?
A. 80% is considered a good benchmark for most organisations.
Q. Why can’t I achieve 100%?
A. 100% isn’t realistically attainable. Microsoft made this challenging by needing additional specific security licenses, but also by having controls that may not apply to your organization. If you don’t use Macs you’ll miss out on the +0.49% improvement to Secure Score. And honestly it’s not that important. That’s why with ISPM we’re focussing more on the whole security of the tenant, providing specific guidance and relevant settings, not chasing Secure Score improvements.
Q. Measurement Metrics: Could you provide a detailed breakdown of how the Microsoft Secure Score is currently measured within our environment?
A. The Microsoft Secure Score is imported directly from the Microsoft tenant; Huntress does not alter this metric. Separately, the Huntress Score is currently measured by the number of compliant controls out of the total available (e.g., XX/34).
Q. Enhanced Visibility: Are there recommended methods or tools to gain deeper visibility into the specific variables influencing the Microsoft Secure Score?
A. If you are looking for granular details regarding the Microsoft Secure Score, the Microsoft 365 Defender portal remains the primary and best source for that data.
API and integrations
Q. What Huntress API data is currently available for ISPM?
A. Today, the Huntress API exposes identity-level data through the identities endpoint, including detailed information for identities monitored by ITDR and ISPM. Additional ISPM-specific API coverage is planned as the product matures.
Q. Do existing usage-based integrations work with ISPM?
A. Yes. The product team stated that ISPM reports usage through the same mechanisms as other Huntress products, so the usual downstream integrations should work as expected.
Reporting and roadmap
Q. Will exportable partner reports be available at general availability?
A. No. Exportable reports are no longer a GA target and are now considered a follow-on priority.
Q. What additional control coverage is planned for GA?
A. The current GA target includes the most valuable Exchange and SharePoint controls that can be delivered through Microsoft Graph. Intune support is not expected at GA.
Q. What additional platform features are expected by GA?
A. The team also called out Conditional Access Discovery for impact analysis and Managed Deployment as planned additions around GA.
Q. Is reporting aligned to Essential 8 planned?
A. Yes. Essential 8 reporting, along with other framework-aligned reporting such as CIS, is on the roadmap.
Potential Gaps
Q. Why aren’t there any security controls for Exchange, SharePoint, Teams, Intune?
A. Early access is focused on Entra and Conditional Access. Between EA and GA (July 1) we will be ramping on the security controls and capabilities across the Microsoft 365 security suite.
Q. Can I schedule a change to take place on a specific date rather than right now?
A. Not during Early Access, but we are looking to bring this capability into the GA launch.
Q. I received an escalation that I can't close due to not having a Reject or Resolve button.
A. During ISPM EA, we may test out new capabilities that could trigger an escalation that will not be resolvable on your end. If you happen to run across one of these, please reach out to Customer Support.
Q. Why did I receive an alert about not having two Global Admins (GA) when I see two in Microsoft's Dashboard?
A. We are currently looking for non-service principal accounts, i.e., potential real people for this requirement. We are also discussing this functionality during EA, as it may need to be adjusted prior to GA.
Q. Will you be supporting GWS?
A. Not at this time. In the future, yes, however there are no firm dates planned for GWS support.
Q. Can I generate reports for my Executive/Customer/Prospect?
A. There are no reports available in Early Access but GA will have a full reporting capability including summary reports and detailed reports suitable for different audiences.
Q. Does Managed ISPM integrate with any PSAs/ticketing systems at EA?
A. Managed ISPM supports all currently supported ticketing systems. This includes Autotask, ConnectWise PSA, HaloPSA, and Kaseya BMS.
Q. Will you be supporting (insert name of framework CMMC/NIS/ISO etc)?
A. We will absolutely be adding support for more reporting aligned to specific frameworks. Please add your recommendations on our Feedback Portal or upvote existing requests so we can get a good sense of demand and which one to focus on first.
Q. Why are you recommending PowerShell Scripts instead of providing Microsoft Dashboard guidance to disable the creation of Security Groups and Microsoft 365 Groups for Azure Portals, API, or PowerShell?
A. The Microsoft Dashboard is prone to changes. A PowerShell script will always accomplish the goal without the need to locate a specific button in their Admin Consoles.
Q. Bulk Management: Does the platform currently support the bulk application of multiple security controls across several tenants simultaneously?
A. In the current Early Access (EA) phase, you can manage security controls on a per-control basis across multiple tenants via the account-level view.
Q. We’ve observed that "Global Continuous Enforcement" does not always apply immediately, requiring a manual re-application. Could you clarify the expected behavior?
A. We are currently reviewing this behavior to determine if there is an underlying synchronization delay or a specific trigger requirement.
Q. Global Security Templates: Is there a capability to establish a "Global Set" of security controls that can be activated by default across all managed organizations?
A. As we transition to General Availability (GA), we will enhance the UI to support multi-tenant deployment with multi-security control sets. We also plan to enhance management capabilities to allow for settings to be deployed automatically on behalf of the partner.
Q. What should I do if an ISPM policy causes an admin login loop?
A. The first recommended step is to revert the Authentication Policy Migration Status control. If the issue persists, allow 15 to 30 minutes for Microsoft propagation, then review and potentially revert the related secure authentication methods control identified by the product team as the likely cause.